Bug 1046170 (CVE-2013-1753)

Summary: CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip encoding
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adev88, aileenc, akurtako, alee, amcnabb, bkabrda, bleanhar, ccoleman, cdewolf, contribs, cperry, dandread, darran.lofthouse, derks, dmalcolm, dmcphers, drieden, extras-orphan, grocha, gvarsami, ivazqueznet, jason.greene, jawilson, jbpapp-maint, jcoleman, jdetiber, jeffrey.ness, jialiu, jkeck, jkurik, jmatthew, jokerman, jonathansteffan, jorton, katzj, kconner, kseifried, ldimaggi, lgao, lkundrak, lmeyer, mmaslano, mmccomas, mmcgrath, mmraka, mstuchli, myarboro, ncoghlan, nobody+bgollahe, nwallace, pavelp, pgier, pmackinn, pslavice, python-maint, rkuska, rsvoboda, rwagner, soa-p-jira, tcunning, tdawson, tjay, tkirby, tomspur, tradej, vkrizan, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python 2.7.9, python 3.3.7, python 3.4.3
Doc Type: Bug Fix
Doc Text:
It was discovered that the Python xmlrpclib did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-20 15:35:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1185074, 1185077, 1187779, 1187793, 1206574
Bug Blocks: 1046175, 1210268

Description Vincent Danen 2013-12-23 22:52:58 UTC
It was reported [1] that the XMLRPC client library in Python is the only stdlib module that has a gzip decompression handler for compressed HTTP streams.  The gzip_decode() function decompresses HTTP bodies that are compressed and sent with Accept-Encoding: x-gzip.  If an XMLRPC program written in Python were to contact a malicious server which responded with a specially crafted HTTP response, it could possibly result in a denial of service of the client (memory exhaustion).

A proposed patch [2] is available, but nothing has been committed or released as there seems to still be some discussion on other enhancements to the patch.


[1] http://bugs.python.org/issue16043
[2] http://bugs.python.org/file28796/xmlrpc_gzip_27.patch
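The decompression path described above, as an added example that is not code from the bug report or from CPython: unbounded_gzip_decode() follows the shape of the pre-fix xmlrpclib gzip_decode() (a single gzf.read() with no ceiling), and bounded_gzip_decode() follows the shape of the upstream fix, which caps the inflated size through a max_decode argument whose upstream default is 20 MiB. The "malicious server response" is a constructed gzip stream of zeros that is a few KiB on the wire but inflates to whatever size the peer chooses; the 1 MiB cap used in the demo is an arbitrary small value chosen so the run is quick.

```python
"""Constructed demonstration of CVE-2013-1753 (not code from the bug report or
from CPython): an unbounded gzip decoder in the shape of the pre-fix xmlrpclib
gzip_decode(), next to a bounded one in the shape of the upstream fix."""
import gzip
import io

# Upstream's fixed gzip_decode() defaults its max_decode ceiling to 20 MiB.
DEFAULT_MAX_DECODE = 20 * 1024 * 1024


def build_compressed_body(decoded_size):
    """Constructed 'malicious server response': a gzip stream that is tiny on the
    wire but inflates to decoded_size bytes.  Runs of zeros compress at roughly
    1000:1 with deflate, so the peer pays almost nothing per inflated megabyte."""
    buf = io.BytesIO()
    chunk = b"\0" * 65536
    remaining = decoded_size
    with gzip.GzipFile(mode="wb", fileobj=buf) as gzf:
        while remaining > 0:
            n = min(remaining, len(chunk))
            gzf.write(chunk[:n])
            remaining -= n
    return buf.getvalue()


def unbounded_gzip_decode(data):
    """Pre-fix shape: inflate everything the peer sent.  The inflated size is
    entirely under the remote server's control, hence memory exhaustion."""
    gzf = gzip.GzipFile(mode="rb", fileobj=io.BytesIO(data))
    try:
        return gzf.read()
    except (OSError, EOFError):
        raise ValueError("invalid data")
    finally:
        gzf.close()


def bounded_gzip_decode(data, max_decode=DEFAULT_MAX_DECODE):
    """Fixed shape: read at most max_decode + 1 bytes, then reject if the extra
    byte arrived, so the cost of a hostile body is bounded by the cap, not by
    the peer.  max_decode < 0 disables the limit, as the upstream fix allows."""
    gzf = gzip.GzipFile(mode="rb", fileobj=io.BytesIO(data))
    try:
        if max_decode < 0:
            decoded = gzf.read()
        else:
            decoded = gzf.read(max_decode + 1)
    except (OSError, EOFError):
        raise ValueError("invalid data")
    finally:
        gzf.close()
    if max_decode >= 0 and len(decoded) > max_decode:
        raise ValueError("max gzipped payload length exceeded")
    return decoded


def compression_ratio(decoded_size):
    """Inflated bytes per wire byte for the constructed payload."""
    return decoded_size / len(build_compressed_body(decoded_size))


def decode_with_limit(decoded_size, max_decode):
    """Feed a constructed body of decoded_size inflated bytes to the bounded
    decoder; returns ('ok', inflated_length) or ('rejected', message)."""
    body = build_compressed_body(decoded_size)
    try:
        return ("ok", len(bounded_gzip_decode(body, max_decode)))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    size = 8 * 1024 * 1024  # 8 MiB once inflated, a few KiB on the wire
    body = build_compressed_body(size)
    print("wire bytes: %d, inflated bytes: %d, ratio ~%d:1"
          % (len(body), len(unbounded_gzip_decode(body)), size // len(body)))
    # Same body through a decoder capped at 1 MiB: rejected after reading 1 MiB + 1
    print(decode_with_limit(size, 1024 * 1024))
```

The point of reading max_decode + 1 bytes rather than checking the length afterwards is that the decoder never holds more than the cap in memory; a check after a full read() would already have paid the cost the attacker wanted. Setting the limit to 20 MiB is a policy choice for a general library; a client that knows its largest legitimate reply can pass a far smaller cap.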

Comment 2 Stefan Cornelius 2014-04-16 14:45:17 UTC
Introduced via http://hg.python.org/cpython/diff/ffd7cf5c7285/Lib/xmlrpclib.py in Python 2.7 and upstream never backported this to 2.6.x.

Interestingly, the proposed patch in comment #0 [2] does not seem to work for me. Given that this is probably not the final version yet, I did not investigate this any further.

Comment 3 Stefan Cornelius 2014-04-16 16:13:29 UTC
Statement:

This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5 and 6 as their XMLRPC library did not include support for gzip encoded content.

Comment 4 Tomas Hoger 2014-11-26 13:02:34 UTC
(In reply to Stefan Cornelius from comment #2)
> Introduced via http://hg.python.org/cpython/diff/ffd7cf5c7285 in Python
> 2.7 and upstream never backported to this to 2.6.x.

This was introduced upstream in 2.7 and 3.2.  It was not backported to 2.6 or 3.1.  The issue remains unfixed upstream.

Comment 5 Tomas Hoger 2015-01-22 20:39:59 UTC
This issue is now fixed upstream; the links below are the commits for 2.7, 3.3 and 3.4:

https://hg.python.org/cpython/rev/d50096708b2d
https://hg.python.org/cpython/rev/4a9418c6f8ae
https://hg.python.org/cpython/rev/6b83e21c8679

Since those commits were made, only Python 2.7 had a new upstream release that includes the fix - 2.7.9.  Python 3.3 and 3.4 are likely to include this fix in the next releases - 3.3.7 and 3.4.3.

Comment 6 Tomas Hoger 2015-01-22 20:43:57 UTC
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1185074]

Comment 7 Tomas Hoger 2015-01-22 20:44:03 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1185077]

Comment 11 errata-xmlrpc 2015-06-04 08:29:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html

Comment 12 errata-xmlrpc 2015-11-19 12:42:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2101 https://rhn.redhat.com/errata/RHSA-2015-2101.html